DNS-Settings on Network-Manager when using VPN

I recently updated to 19.04 and noticed a change in NetworkManager's behaviour when using VPNs.

  • I want to use a VPN with its own local DNS server, which is pushed by DHCP
  • I have separate VPN profiles: one for a "full VPN", which installs a default route to the remote network, and one "split tunnel" profile, which has the setting for local resources only enabled

Since I updated to 19.04, NetworkManager seems to only use the pushed DNS server when the default route is allowed to be installed, that is, when the checkbox "Use this connection only for resources on its network" is not checked.

Let NetworkManager install a default route:

~$ resolvectl status tun0
Link 16 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1
          DNS Domain: local.domain

Activate the checkbox for local resources only in the same VPN profile:

~$ resolvectl status tun0
Link 8 (tun0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

This setting used to work independently of the default-route setting; it seems to have changed with the new NetworkManager (v1.16.0) in 19.04. Can anyone confirm?

Edit: This is a desktop installation. Here are some details:

~$ ls -al /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Apr 20 15:41 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

~$ cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0
search uman.enbw.net

~$ cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

~$ cat /etc/netplan/*.yaml
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

Solution 1:

I googled and ended up here, and I have exactly the same issue too (Ubuntu 19.04).

For me, this solved it:

nmcli c modify <vpn-settings-name> ipv4.dns-search '<domain>' 

You should specify the <vpn-settings-name> that corresponds to the VPN connection name in the GUI, and <domain> is the domain name you want to search via DNS in the remote network.

After reconnecting to the VPN, systemd-resolved status ppp0 shows:

Link 6 (ppp0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1 (<--- my dns)
                      192.168.1.10
          DNS Domain: corp

Solution 2:

Just adding to soymsk's answer. It seems that the DNS server from the VPN connection will be used if either:

  • The VPN is set to be used for all traffic
  • There is a DNS Search Domain associated with the VPN connection

As soymsk suggested, you can set the search domain on the client using nmcli.

If you're in control of the VPN server it's probably better to push out the DNS Search Domain from the VPN server. That way you don't have to set it on each client.

I added the following line to /etc/openvpn/server.conf on my VPN server, and it had the same effect as setting the DNS search domain on the client:

push "dhcp-option DOMAIN <domain>"

Where <domain> is the domain you want added to any unqualified host names you try to access (the domain of your local network). The important thing seems to be that a DNS search domain is set for the VPN connection; it doesn't matter how the DNS search domain is se
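To see why the search domain decides which resolver answers, here is an added example that is not code from the question or either answer: it parses resolvectl status output and replays systemd-resolved's per-link routing rules against it. The wlan0 link, the 192.0.2.53 LAN resolver and the corp.example / intranet names are constructed for the example; the tun0 listings mirror the shape of the ones above. It also shows the '~.' routing domain, which resolved treats as "every name" and which recent NetworkManager accepts via nmcli c modify <vpn> ipv4.dns-search '~.' when you want split-tunnel routing but all DNS kept inside the VPN.

```python
"""Model systemd-resolved's per-link DNS routing for a split-tunnel VPN.
Rules applied to a parsed `resolvectl status` dump:
  1. the link whose search/routing domain is the longest suffix of the name
     gets the query ('~' marks a routing-only domain, '~.' matches everything);
  2. with no match, every link with "DefaultRoute setting: yes" gets it;
  3. a link with "Current Scopes: none" never gets anything.
Addresses and domains are constructed sample data, not the page's."""
import re
from dataclasses import dataclass, field

# Constructed: LAN uplink wlan0 plus the VPN link tun0 as on the page, before
# any search domain is set (checkbox "only for resources on its network" on).
SPLIT_NO_DOMAIN = """\
Link 3 (wlan0)
      Current Scopes: DNS
DefaultRoute setting: yes
         DNS Servers: 192.0.2.53

Link 8 (tun0)
      Current Scopes: none
DefaultRoute setting: no
"""
# After `nmcli c modify <vpn> ipv4.dns-search corp.example` (or a pushed
# "dhcp-option DOMAIN corp.example"): tun0 now owns a search domain.
SPLIT_WITH_DOMAIN = SPLIT_NO_DOMAIN.replace(
    "Link 8 (tun0)\n      Current Scopes: none\nDefaultRoute setting: no\n",
    "Link 9 (tun0)\n      Current Scopes: DNS\nDefaultRoute setting: no\n"
    "         DNS Servers: 192.168.1.1\n                      192.168.1.10\n"
    "          DNS Domain: corp.example\n")
# With the '~.' routing domain instead: the VPN resolver gets every query.
SPLIT_ROUTE_ALL = SPLIT_WITH_DOMAIN.replace("DNS Domain: corp.example",
                                            "DNS Domain: ~.")

@dataclass
class Link:
    name: str
    has_dns: bool = False
    default_route: bool = False
    servers: list = field(default_factory=list)
    domains: list = field(default_factory=list)

LINK_RE = re.compile(r"^Link \d+ \((\S+)\)$")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")  # addresses never match as keys

def parse_resolvectl(text):
    """Parse `resolvectl status` into Links; continuation lines extend the last key."""
    links, cur, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINK_RE.match(line)
        if m:
            cur, key = Link(m.group(1)), None
            links.append(cur)
            continue
        if cur is None:          # the leading "Global" block is not a link
            continue
        m = KV_RE.match(line)
        key, value = (m.group(1), m.group(2)) if m else (key, line)
        if key == "Current Scopes":
            cur.has_dns = "DNS" in value.split()
        elif key == "DefaultRoute setting":
            cur.default_route = value == "yes"
        elif key == "DNS Servers" and value:
            cur.servers.append(value)
        elif key == "DNS Domain" and value:
            cur.domains.append(value)
    return links

def _suffix_len(name, domain):
    """Length of the domain if it covers `name`, 0 for '~.', else -1."""
    dom = domain.lstrip("~").rstrip(".").lower()
    if dom == "":
        return 0
    return len(dom) if name == dom or name.endswith("." + dom) else -1

def route_fqdn(links, fqdn):
    """Names of the links whose resolvers receive a query for `fqdn`."""
    name = fqdn.rstrip(".").lower()
    best, best_len = [], -1
    for link in links:
        if not (link.has_dns and link.servers):
            continue
        for n in (_suffix_len(name, d) for d in link.domains):
            if n > best_len:
                best, best_len = [link.name], n
            elif n == best_len >= 0 and link.name not in best:
                best.append(link.name)
    if best:
        return best
    return [l.name for l in links if l.has_dns and l.servers and l.default_route]

def route_query(links, name):
    """Resolve a typed name: single labels are expanded with each search domain
    (not with '~' routing-only domains); a bare label alone is not sent upstream."""
    if "." in name:
        return name, route_fqdn(links, name)
    for link in links:
        for domain in link.domains:
            if not domain.startswith("~"):
                fqdn = f"{name}.{domain}"
                targets = route_fqdn(links, fqdn)
                if targets:
                    return fqdn, targets
    return name, []

if __name__ == "__main__":
    for title, dump in (("none", SPLIT_NO_DOMAIN), ("corp.example", SPLIT_WITH_DOMAIN),
                        ("~.", SPLIT_ROUTE_ALL)):
        links = parse_resolvectl(dump)
        for q in ("intranet", "intranet.corp.example", "www.example.org"):
            print(f"[tun0 domain: {title:12}] {q:22} -> {route_query(links, q)}")
```

The first scenario is the security-relevant one: with the split-tunnel checkbox on and no domain, tun0 has no DNS scope, so intranet.corp.example is sent to the LAN's resolver and your internal hostnames leak to whatever network you are sitting on. Adding corp.example routes only that domain to the VPN resolver and still expands the bare name intranet; '~.' routes every query through the VPN, at the price of the VPN resolver seeing all of your lookups.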